  • GOVERNANCE AND AUDIT COMMITTEE

    Thursday, June 1, 2017

    4:00 PM

    Conference Room 157

    County Government Center

    70 West Hedding Street

    San Jose, CA

    AGENDA

    CALL TO ORDER

    1. ROLL CALL

    2. PUBLIC PRESENTATIONS:

    This portion of the agenda is reserved for persons desiring to address the Committee on any matter not on the agenda. Speakers are limited to 2 minutes. The law does not permit Committee action or extended discussion on any item not on the agenda except under special circumstances. If Committee action is requested, the matter can be placed on a subsequent agenda. All statements that require a response will be referred to staff for reply in writing.

    3. ORDERS OF THE DAY

    CONSENT AGENDA

    4. ACTION ITEM - Approve the Regular Meeting Minutes of May 4, 2017.

    5. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Trapeze OPS Pre-Implementation Review performed during Fiscal Year 2014.

    6. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Public Safety Process Assessment performed during Fiscal Year 2014.

    REGULAR AGENDA

    7. ACTION ITEM - Review and receive the Auditor General's report on the Inventory and Assets Held at Outreach.

  • Santa Clara Valley Transportation Authority Governance and Audit Committee June 1, 2017

    8. ACTION ITEM - Review and receive the Auditor General's report on the Interagency Agreement Risk Assessment.

    9. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Sheriff's Office Contract Compliance Internal Audit performed during Fiscal Year 2013.

    10. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Operator Scheduling Assessment performed during Fiscal Year 2015.

    11. INFORMATION ITEM - Receive an update from Auditor General Office staff on the status of projects contained in the current Internal Audit Work Plan.

    12. DISCUSSION ITEM - Review and discuss the applications from individuals seeking to serve on the 2016 Measure B Citizens' Oversight Committee evaluated by the Board subcommittee.

    OTHER ITEMS

    13. Items of Concern and Referral to Administration.

    14. Review Committee Work Plan. (Fernandez)

    15. Committee Staff Report. (Fernandez)

    16. Chairperson's Report. (Bruins)

    17. Determine Items for the Consent Agenda for future VTA Board of Directors' meetings.

    18. ANNOUNCEMENTS

    19. ADJOURN

    In accordance with the Americans with Disabilities Act (ADA) and Title VI of the Civil Rights Act of 1964, VTA will make reasonable arrangements to ensure meaningful access to its meetings for persons who have disabilities and for persons with limited English proficiency who need translation and interpretation services. Individuals requiring ADA accommodations should notify the Board Secretary’s Office at least 48-hours prior to the meeting. Individuals requiring language assistance should notify the Board Secretary’s Office at least 72-hours prior to the meeting. The Board Secretary may be contacted at (408) 321-5680 or [email protected] or (408) 321-2330 (TTY only). VTA’s home page is www.vta.org or visit us on www.facebook.com/scvta. (408) 321-2300:    中文 / Español / 日本語 /  한국어 / tiếng Việt /  Tagalog.

    Disclosure of Campaign Contributions to Board Members (Government Code Section 84308)

    In accordance with Government Code Section 84308, no VTA Board Member shall accept, solicit, or direct a contribution of more than $250 from any party, or his or her agent, or from any participant, or his or her agent, while a proceeding involving a license, permit, or other entitlement for use is pending before the agency. Any Board Member who has received a contribution within the preceding 12 months in an amount of more than $250 from a party or from any agent or participant shall disclose that fact on the record of the proceeding and shall not make, participate in making, or in any way attempt to use his or her official position to influence the decision. A party to a proceeding before VTA shall disclose on the record of the proceeding any contribution in an amount of more than $250 made within the preceding 12 months by the party, or his or her agent, to any Board Member. No party, or his or her agent, shall make a contribution of more than $250 to any Board Member during the proceeding and for three months following the date a final decision is rendered by the agency in the proceeding. The foregoing statements are limited in their entirety by the provisions of Section 84308 and parties are urged to consult with their own legal counsel regarding the requirements of the law.

    All reports for items on the open meeting agenda are available for review in the Board Secretary’s Office, 3331 North First Street, San Jose, California, (408) 321-5680, the Monday, Tuesday, and Wednesday prior to the meeting. This information is available on VTA’s website at http://www.vta.org and also at the meeting.

    NOTE: THE BOARD OF DIRECTORS MAY ACCEPT, REJECT OR MODIFY ANY ACTION RECOMMENDED ON THIS AGENDA.

  • Governance and Audit Committee

    Thursday, May 4, 2017

    MINUTES

    CALL TO ORDER

    The Regular Meeting of the Governance and Audit Committee (“Committee”) was called to order at 4:01 p.m. by Chairperson Bruins in Conference Room 157, County Government Center, 70 West Hedding, San Jose, California.

    1. ROLL CALL

    Attendee Name | Title | Status

    Jeannie Bruins | Chairperson | Present

    Cindy Chavez | Member | Present

    Glenn Hendricks | Member | Present

    Sam Liccardo | Vice Chairperson | Present

    Teresa O'Neill | Member | Present

    A quorum was present.

    2. PUBLIC PRESENTATIONS:

    There were no Public Presentations.

    3. ORDERS OF THE DAY

    Chairperson Bruins requested to hear items on the Regular Agenda, before Closed Session until Vice Chairperson Liccardo's arrival.

    M/S/C (Chavez/Hendricks) to accept the Orders of the Day.

    RESULT: APPROVED – Orders of the Day

    MOVER: Cindy Chavez, Member

    SECONDER: Glenn Hendricks, Member

    AYES: Bruins, Chavez, Hendricks, O’Neill

    NOES: None

    ABSENT: Liccardo

    NOTE: M/S/C MEANS MOTION SECONDED AND CARRIED AND, UNLESS OTHERWISE INDICATED, THE MOTION PASSED UNANIMOUSLY.

    CONSENT AGENDA

    4. Regular Meeting Minutes of March 2, 2017

    M/S/C (Chavez/Hendricks) to approve the Regular Meeting Minutes of March 2, 2017.

    5. Amend the VTA Administrative Code to Establish the 2016 Measure B Citizens Oversight Committee and Approve the Committee Bylaws

    M/S/C (Chavez/Hendricks) to recommend that the VTA Board of Directors: (1) adopt a resolution amending the VTA Administrative Code to establish the 2016 Measure B Citizens’ Oversight Committee; and (2) approve the bylaws for that committee.

    6. Ratification of Appointments to the Bicycle & Pedestrian Advisory Committee

    M/S/C (Chavez/Hendricks) to ratify the appointments of: 1) Susan Cretekos, Town of Los Altos Hills; 2) Carolyn Schimandle, City of Gilroy; and 3) Erik Lindskog, City of Cupertino, to the Bicycle & Pedestrian Advisory Committee for the two-year term ending June 30, 2018.

    RESULT: APPROVED – Consent Agenda Items #4 - #6

    MOVER: Cindy Chavez, Member

    SECONDER: Glenn Hendricks, Member

    AYES: Bruins, Chavez, Hendricks, O’Neill

    NOES: None

    ABSENT: Liccardo

    The Agenda was taken out of order.

    REGULAR AGENDA

    10. Information Technology (IT) Development and Project Management Assessment

    Pat Hagan, Auditor General's Office, provided the report, highlighting areas of concern and Auditor General’s recommendations for consideration.

    Gary Miskell, Chief Information Officer, provided an overview of Management’s Action Plan, including efforts in the areas of agency-wide oversight, IT governance process, change management process and controls, and project management and performance monitoring.

    Members of the Committee made the following comments: 1) asked about staff training process, key performance indicators, and security as it relates to access control; 2) requested information on steering committee charter; 3) change management pre-roll out could help inform post-roll out; 4) suggested “Project Management” might be better referred to as “Program Management”; and 5) commended staff on a sound action plan.

    M/S/C (Chavez/O'Neill) to review and receive the Auditor General's report on the IT Development and Project Management Assessment.

    RESULT: APPROVED – Agenda Item #10

    MOVER: Cindy Chavez, Member

    SECONDER: Teresa O’Neill, Member

    AYES: Bruins, Chavez, Hendricks, O’Neill

    NOES: None

    ABSENT: Liccardo

    Vice Chairperson Liccardo arrived at the meeting and took his seat at 4:23 p.m.

    11. Investment Program Controls Internal Audit -- FY 2017

    M/S/C (Chavez/Hendricks) to review and receive the Auditor General's report on the Investment Program Controls Internal Audit performed during Fiscal Year (FY) 2017.

    RESULT: APPROVED – Agenda Item #11

    MOVER: Cindy Chavez, Member

    SECONDER: Glenn Hendricks, Member

    AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill

    NOES: None

    ABSENT: None

    12. Review Status of Internal Audit Work Plan

    On order of Chairperson Bruins and there being no objection, the Committee received an update from Auditor General Office staff on the status of projects contained in the current Internal Audit Work Plan.

    7. Recess to Closed Session at 4:24 p.m.

    A. THREAT TO PUBLIC SERVICES OR AGENCY INFORMATION

    (Government Code Section 54957)

    Consultation with Chief Information Officer, Gary Miskell

    8. Reconvened to Open Session at 4:53 p.m.

    9. Closed Session Report

    Evelynn Tran, Deputy General Counsel, noted no reportable action was taken during Closed Session.

    REGULAR AGENDA (continued)

    13. Recommended FY 2018 & FY 2019 Internal Audit Work Plans

    Bill Eggert, Auditor General, provided a brief overview of the proposed internal audit work plan.

    After a brief discussion, Members of the Committee provided direction to defer the Cyber Security Assessment in the proposed FY 2018 Internal Audit Work Plan.

    M/S/C (Liccardo/Chavez) to recommend Board approval of the Auditor General’s recommended Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of $465,000 for FY 2018 and $465,000 for FY 2019.

    RESULT: APPROVED – Agenda Item #13

    MOVER: Sam Liccardo, Vice Chairperson

    SECONDER: Cindy Chavez, Member

    AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill

    NOES: None

    ABSENT: None

    OTHER ITEMS

    14. Items of Concern and Referral to Administration

    The Committee expressed appreciation to the Auditor General and staff for their presentations.

    15. Committee Work Plan

    Nuria I. Fernandez, General Manager and CEO, provided a brief overview of the work plan and noted the next Committee meeting is scheduled for June 1, 2017.

    On order of Chairperson Bruins and there being no objection, the Committee reviewed the Committee Work Plan.

    16. Committee Staff Report

    There was no Committee Staff Report.

    17. Chairperson's Report

    There was no Chairperson's Report.

    18. Determine Items for the Consent Agenda for future VTA Board of Directors' Meetings

    CONSENT:

    Agenda Item #5., Recommend that the Board of Directors: (1) adopt a resolution amending the VTA Administrative Code to establish the 2016 Measure B Citizens’ Oversight Committee; and (2) approve the bylaws for that committee.

    Agenda Item #10., Review and receive the Auditor General's report on the IT Development and Project Management Assessment.

    Agenda Item #11., Review and receive the Auditor General's report on the Investment Program Controls Internal Audit performed during Fiscal Year 2017.

    REGULAR:

    Agenda Item #13., Recommend Board approval of the Auditor General’s recommended Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of $531,000 for FY 2018 and $465,000 for FY 2019.

    19. ANNOUNCEMENTS

    Ms. Fernandez announced VTA will co-host the Movers and Shakers bike ride with the Silicon Valley Bicycle Coalition on Bike to Work Day on May 11, 2017. The bike ride will begin at the Martin Luther King, Jr., Library in San Jose, and end at VTA's River Oaks Administrative Offices via the Guadalupe River Trail.

    20. ADJOURNMENT

    On order of Chairperson Bruins and there being no objection, the Committee was adjourned at 4:59 p.m.

    Respectfully submitted,

    Michelle Oblena, Board Assistant

    VTA Office of the Board Secretary

  • Date: May 22, 2017

    Current Meeting: June 1, 2017

    Board Meeting: August 3, 2017

    BOARD MEMORANDUM

    TO: Santa Clara Valley Transportation Authority Governance and Audit Committee

    FROM: Auditor General, Bill Eggert

    SUBJECT: Follow-Up on the Trapeze OPS Pre-Implementation Review

    Policy-Related Action: No Government Code Section 84308 Applies: No

    ACTION ITEM

    RECOMMENDATION:

    Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Trapeze OPS Pre-Implementation Review performed during Fiscal Year 2014.

    BACKGROUND:

    VTA’s Auditor General’s Office is responsible for conducting the internal audits specified in the Board-approved Internal Audit Work Plan. It is also responsible for determining the implementation status, adequacy and timeliness of corrective actions that VTA management committed to implement on reported observations and recommendations contained in these internal audits.

    In Fiscal Year 2014, the Auditor General’s Office completed the Trapeze OPS Pre-Implementation Review. The primary objective of this project was to review VTA’s implementation plan for Trapeze OPS and provide recommendations to the project team to help ensure as integrated and seamless of a transition as possible by minimizing the occurrence and magnitude of transition errors, especially regarding time capture/payroll processing. To achieve this objective, we observed specific concerns and communicated these concerns real-time to the VTA project team. All recommendations were discussed and many were confirmed during fieldwork as having been remediated immediately by VTA.

    Based on the work performed, an overall Medium level of potential opportunity for process improvement was issued, based on twelve identified areas of potential process improvement: eight judged as Low risk, and four judged as Medium risk.

    VTA management agreed with all Auditor General’s Office recommendations. It committed to implement all recommendations by the end of December 2014.

    Recommendations of opportunities for improvement contained in that report were presented by the Auditor General for consideration by the VTA Board of Directors, Governance & Audit Committee and management, which are solely responsible for the effective implementation of any recommendation.

    DISCUSSION:

    In March and April 2017, the Auditor General’s Office completed its follow-up process to assess if the management action plans specified in the Trapeze OPS Pre-Implementation Review had been completed. The results of this follow-up, as well as a summary of the findings, recommendations and VTA management responses from the subject report, are included on Attachment A.

    Based on the evidence submitted by VTA, we have confirmed that the recommendations have been successfully implemented.

    FISCAL IMPACT:

    There is no financial impact associated with acceptance of this report.

    Prepared by: Lily Rogers, AG's Office and Stephen Flynn, Advisory Committee Coordinator

    Memo No. 6130

    ATTACHMENTS:

    • A--Followup on Trapeze OPS Pre-Implementation (PDF)

  • # Observation Recommendation Management Response Recommendation Implementation Status

    1 Change Requests Related to Trapeze OPS

    Observation: VTA is currently relying on the vendor (Trapeze) to perform development functions and provide implementation guidance, and as a result is minimizing the risk of improper coding through Trapeze’s formal change management process. However, we observed that VTA is not following its own change management procedures to update patches and releases in the test/training environment once the developed portion of the system is ready to be released onto VTA’s environment. The objective of the change management process is to ensure changes are authorized, made in a timely manner, and occur with minimal errors. This process includes tracking and approving standard changes and emergency maintenance relating to business processes, applications and infrastructure.

    Recommendation: VTA should also be consistent in following formal change management procedures to update patches and releases in the test/training environment.

    Management Response: VTA agrees with the recommendation. Change management procedures have been implemented and are now in place for patches and release updates in the test/training environment.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    VTA management has implemented change management procedures for updates and releases in Trapeze. VTA utilizes 3 environments, including training, development, and production, and ensures that all changes and updates to the final production database are properly authorized.

    2a Application Security - Segregation of Duties

    Observation: Management plans for the Operations Systems Supervisor to grant user access rights. However, the Operations Systems Supervisor also utilizes Trapeze OPS for other daily responsibilities, thereby creating a potential segregation of duties conflict.

    Recommendation: System/application administrator roles for granting, modifying or removing access should be limited to IT. Additionally, a proper approval process should be followed that ensures changes to roles and responsibilities do not create conflicts.

    Management Response: VTA partially agrees with the recommendation. Administration of user security will be transitioned to Technology by October 2014. The Operations Systems Supervisor, who is the VTA expert in determining appropriate user functions, will continue to have access to user groups or roles.

    Target Date: October 31, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    The Operations System Supervisor continues to have access to user groups and roles. The administration of user security and system passwords has transitioned to Information Technology. All Information Technology personnel have received training on user access management.

    2b Application Security - New User Access

    Observation: Management is in process but has not yet completed updating their policy around issuance of granting and removing access to Trapeze OPS. The user access change form has also not been updated to include Trapeze OPS groups, workspaces and/or permissions.

    Recommendation: Management should complete the previously started user access policy (addressing access administration, authorization for adding users, modifications to user permissions, removal of access, and periodic access review) before going live of Trapeze OPS. We also recommend that the existing Create Modify User Account Form be revised to incorporate Trapeze OPS groups and permissions. Additionally, permission modifications should be documented using the revised Create Modify User Account Form to ensure appropriate authorization is obtained before changes are implemented.

    Management should also require a documented independent user access review be conducted for Trapeze OPS on at least a yearly basis. This review should include a review of all user accounts to determine if the account is still needed, appropriateness of access levels, etc. The documentation should include exceptions discovered and corrected, impact of each exception, date and who performed the review.

    Management Response: VTA agrees with the recommendation. User request forms are in place. In addition, VTA developed automated scripts that run daily to monitor user account exceptions.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    VTA Operations has put in place a User Access Form for all new Trapeze users and changes to Trapeze access. User Access Form includes four workspaces for bidding, timekeeping, dispatching, and workforce management. All User Access Forms require the user's and manager's signatures before processing. Requests are reviewed, approved, and processed by Operations. An automated email is generated when a Trapeze user is separated from VTA that prompts a change in user access.

    2c Application Security - Unique User Accounts

    Observation: Per inspection of the Trapeze OPS user access listing on April 3, 2014, two users have more than one user name. Also, there were eleven user names set up that do not follow the standard user name naming convention of “Lastname_f”, where f = first initial. Ensuring that all users (internal, external and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development and maintenance) are uniquely identifiable will help confirm if data access rights are in accordance with their business requirements.

    Recommendation: Management should reset non-compliant user names in order to adhere to the standard user name convention in place. Also, for users with multiple user names, Management should disable additional accounts unless there is a clear business purpose or consider reviewing the user access logs to ensure user activity is limited to perform daily job functions.

    Management Response: VTA agrees with the recommendation and is resetting and/or disabling non-compliant accounts.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    In July 2016 VTA deployed LDAP (Lightweight Directory Access Protocol), a software protocol derived from the Windows Active Directory that does not allow duplication of accounts. A Single Sign On approach has been adopted. Corrections were made to disable additional accounts of users with multiple accounts as part of the LDAP deployment. At the time of review, no individuals had more than one account.

    June 1, 2017

    Follow-up Report: Trapeze OPS Pre-Implementation Review

    VTA Auditor General's Office

    2d Application Security - Password Policy

    Observation: Per inspection of the Trapeze OPS password parameters on April 3, 2014, passwords are not required to be changed at any time after initial setup.

    Recommendation: Management should consider additional configuration standards for password policies/settings to enforce requirements for strong passwords, including industry standards such as:

    • Forced password change interval of 30 – 90 days

    • Minimum password length of 10 characters, including letters, numbers, and requiring at least one capital letter; including special characters (e.g., &, *, !, etc…), will increase complexity and greatly increase overall password security

    • Require a rotation of at least three passwords before one can be reused

    Management should consider adding a session timeout for the application, to help prevent unauthorized access. Session timeouts could vary depending on the job function being performed.

    Management Response: VTA agrees with the recommendation and will implement a password management policy similar to that used for other VTA systems by October 31, 2014.

    Target Date: October 31, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    Information Technology created a Trapeze password policy similar to the standard VTA password policy, which included a forced password change interval of 120 days, a requirement to use at least one letter and number, and a requirement that passwords be different from the previous 3 passwords used. The July 2016 deployment of the LDAP software protocol forces application password policies to be in line with standard VTA password policies. Network passwords are now used to log in to Trapeze products.

    2e Application Security - Security Groups

    Observation: Two users under the same job role will initially have identical permissions, however, further unique permissions can be assigned to an individual user and create challenges in the monitoring process of user access rights.

    Recommendation: Management should avoid authorization of individual permission changes and promote the use of standard group assignments based on job roles/responsibilities, where reasonably feasible.

    Management Response: VTA agrees with the recommendation. Standard group assignments are in place.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    VTA has implemented standard workspaces which govern user access. Users are assigned to a workspace for bidding, timekeeping, dispatching, or workforce management, all of which have standard group assignments and access levels. Users are further divided into specific user groups within these workspaces in order to standardize user access according to user role.

    3 User Acceptance Testing (UAT) Process for Customized Functions - Dispatch and Workforce Management Testing

    Observation: Per review over testing plans including test cases and tester approval on April 3, 2014, the tester did not include reports, screenshots, or other documents to demonstrate the support used to determine whether the test passed or failed. Management maintains a log with tester approval signoffs, however, formal documentation demonstrating IT and/or Project Manager approval was not provided.

    Recommendation: Management should retain support used to determine a test passing or failing.

    Management Response: VTA agrees with the recommendation and implemented the recommended approach during the testing phase of the project.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    VTA now maintains a status log of all test scripts which details the script number, description, testing status (pass/fail), additional comments, and the test script status. All support related to testing status is retained.

    4a Processing Integrity Review Process - SAP Employee and Vehicle Maintenance - Imported Data

    Observation: We noted inconsistencies such as informal checkpoints and incomplete reconciliations of data elements in the method of verifying data and/or transactions transmitted was accurate, complete and valid.

    In addition, we noted inconsistencies in the tracking and logging of test results and any associated resolution.

    Recommendation: A formal reconciliation process should be designed to facilitate the complete and accurate processing of information. A formal reconciliation process should also be established to include formal validations of the imported or exported data, such as confirmation through matching number counts of selected records or field attributes.

    VTA should identify, log and classify (e.g., minor, significant and mission-critical) errors during testing, and repeat tests until all significant errors have been resolved. VTA should also ensure that an audit trail of test results is maintained.

    Management Response: VTA agrees with the recommendation and implemented the recommended approach during the testing phase of the project. Regular monitoring of interface data by the System Administrators is in place.

    Target Date: June 30, 2014

    Recommendation Implementation Status (Auditor General's Office):

    Status: Complete

    VTA has reconciled the information uploaded to Trapeze to the source data in SAP and has verified that all information is processed accurately. VTA works to identify and solve any errors as they arise. Systems Administrators regularly monitor data in SAP and Trapeze to ensure validity.

    4b Processing Integrity Review Process - System Integration - Bidding, Dispatch &

    Timekeeping

    We observed that UAT testing included various test scenarios and scripts, and focused on

    accuracy as well as error resolution. However, daily, monthly and annual process streams and

    data transmissions were not being formally tested for completeness and accuracy as of our field

    work date (April 3, 2014).

    A formal reconciliation process be designed

    to ensure that information processing

    considers daily, monthly and annual

    processes and that information processing is

    valid, complete, and accurate.

    A formal reconciliation process should be

    established to include formal validations of

    the imported and exported data.

    An exception threshold should be agreed upon by

    the VTA project team, such that error rates

    exceeding 2% would be escalated for more

    immediate remediation.

    The System Administrators regularly monitor

    the interface data. In addition, a formal

    reconciliation of timekeeping data is

    conducted every pay period.

    Target Date: June 30, 2014

    Auditor General's Office:

    Status: Complete

    VTA users can generate a weekly timekeeping summary of their hours worked and pay code

    by day. Timekeeping summary reports can also be generated for a division/employee type

    for a given time period. Payroll provides feedback and relays errors in individual timekeeping

    each pay period.

    4c Processing Integrity Review Process - System Integration Review - Workforce Management

    Per discussion with VTA during the week of 03/31/14, integrated testing has not begun since

    historical data from VAP was recently converted into Trapeze OPS and undergoing testing. In

    addition, there are several customization work orders still outstanding from the Trapeze vendor.

    These multiple factors combined lead to greater potential to disrupt the implementation project.

    However, we also acknowledge that VTA has considered alternative plans prior to going live.

    VTA should determine an updated timeline

    with the Trapeze vendor and hold the vendor

    accountable to the set dates for remaining

    customization delivery (such as a fee penalty

    if not met) in order to allow time for testing.

    Another option is to postpone implementation

    of the Trapeze OPS - Workforce Management

    module until all customizations are complete

    and tested thoroughly; however, it has been

    determined by the VTA project team that the

    projected risk associated with this finding

    would not warrant a delay in go-live.

    VTA postponed implementation of the VAP

    (VTA Attendance Program) module of

    Trapeze OPS. VTA is currently testing this

    module. The anticipated implementation of

    the VAP module will be completed by the end

    of 2014.

    Target Date: December 31, 2014

    Auditor General's Office:

    Status: Complete

    The VAP module of Trapeze OPS was initially delayed and is currently partially

    implemented. Implementation is nearing completion and is scheduled to be completed by

    the end of Fiscal Year 2017.

    4d Processing Integrity Review Process - SAP Employee Data & Vehicle Maintenance

    Transmission

    VTA currently utilizes the Open Database Connectivity (ODBC) interface to automatically transmit

    employee HR information (such as vacation and sick day balances) and vehicle maintenance

    information from the SAP system to Trapeze OPS. We observed that there are no automated

    alerts to notify if any records may be rejected or otherwise excluded during the automated

    transmission process.

    An alert notification feature or reporting

    feature should be implemented to confirm all

    records transmitted from SAP match the

    records received into Trapeze OPS. This

    would ensure that appropriate management

    or system administrators are notified of any

    records not successfully transmitted so that

    the instance(s) could be investigated and

    resolved timely.

    VTA agrees with the recommendation.

    Automated alerts notifying Systems

    Administrators are now in place.

    Target Date: June 30, 2014

    Auditor General's Office:

    Status: Complete

    VTA has implemented automated alerts related to errors in all interfaces. Any record error

    will result in an automated alert sent to the database administrator for investigation.

    5 Data Conversion Procedures

    Per review over Historical Data Load Specifications, the data to be migrated consists of BDT data

    and VAP data. During our review, Management provided email correspondence between

    business owners and the project team stating VTA will no longer load BDT historical data into

    Trapeze OPS, however, the Historical Data Load Specifications had not been updated to reflect

    the significant change.

    Management should consider formally

    documenting the removal of BDT from the

    scope of the data migration process and

    business owners’ approval of the VAP data

    fields.

    VTA agrees with the recommendation.

    Removal of BDT data migration scope was

    documented while VAP data fields were

    identified and approved by business process

    owners.

    Target Date: June 30, 2014

    Auditor General's Office:

    Status: Complete

    VTA has not loaded historical BDT data into Trapeze and has directed Trapeze to cancel the

    historical load. BDT data was formally removed from the scope of the data migration

    process.

  • Date: May 22, 2017

    Current Meeting: June 1, 2017

    Board Meeting: August 3, 2017

    BOARD MEMORANDUM

    TO: Santa Clara Valley Transportation Authority Governance and Audit Committee

    FROM: Auditor General, Bill Eggert

    SUBJECT: Follow-Up on the Public Safety Process Assessment

    Policy-Related Action: No Government Code Section 84308 Applies: No

    ACTION ITEM

    RECOMMENDATION:

    Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Public Safety Process Assessment performed during Fiscal Year 2014.

    BACKGROUND:

    VTA’s Auditor General’s Office is responsible for conducting the internal audits specified in the Board-approved Internal Audit Work Plan. It is also responsible for determining the implementation status, adequacy and timeliness of corrective actions that VTA management committed to implement on reported observations and recommendations contained in these internal audits.

    During Fiscal Year 2016, the Auditor General’s Office completed the Public Safety Process Assessment. The primary objective of this review was to obtain an understanding of VTA’s Public Safety processes, validate our understanding of the processes through both documentation review and inspection and physical observation of in-place processes, and identify opportunities for process improvements.

    Based on the work performed, an overall Low level of potential opportunity for process improvement was issued, based on five identified areas of potential process improvement: two judged as Medium potential, and three judged as Low.

    VTA management agreed with all Auditor General’s Office recommendations. It committed to implement all recommendations by the end of June 2016.

    Recommendations of opportunities for improvement contained in that report were presented by the Auditor General for consideration by the VTA Board of Directors, Governance & Audit Committee and management, which are solely responsible for the effective implementation of any recommendation.

    DISCUSSION:

    In April and May 2017, the Auditor General’s Office completed its follow-up process to assess if the management action plans specified in the Public Safety Assessment had been completed. The results of this follow-up, as well as a summary of the findings, recommendations and VTA management responses from the subject report, are included on Attachment A.

    Based on the evidence submitted by VTA, we have confirmed that the recommendations have been successfully implemented.

    FISCAL IMPACT:

    There is no financial impact associated with acceptance of this report.

    Prepared by: Lily Rogers, AG's Office and Stephen Flynn, Advisory Committee Coordinator

    Memo No. 6131

    ATTACHMENTS:

    • A--Followup on Public Safety Process Assessment (PDF)

  • VTA Auditor General's Office

    # Observation Recommendation Management Response Recommendation Implementation Status

    1.1 Security Staffing Levels and Capabilities:

    The number of special events that VTA provides additional service to has increased significantly since the opening of both

    Levi’s and Avaya Stadiums. Special events require additional security to ensure public safety due to increased ridership

    and the nature of crowds at select special events. In its current state, VTA may not have the optimal level of security staff

    or the right mix of security staff to adequately address increasing security concerns.

    VTA utilizes three unique types of safety and security forces – law enforcement, Allied Barton (AB) security contractors,

    and fare inspectors. Each group has unique responsibilities and capabilities within the organization. AB is seen as a force

    multiplier who can detain, but their capabilities are limited because they cannot arrest or Mirandize. Therefore, many

    responsibilities are shifted back to Transit Patrol that is staffed by Santa Clara County Sheriff’s deputies. Fare Inspectors

    provide a presence on light rail and the platforms/stations along the light rail line. They also act as a deterrent because

    they identify potential security risks through fare inspection; however, they do not have the ability to run ID checks.

    In order to mitigate security concerns and to mitigate the risk of public safety issues, VTA creates an operations plan that

    includes procedures to mitigate risk. The operational plan takes into account expected attendance, the specific nature of

    the event and associated patrons, and other factors to develop the plan and determine security staffing levels needed.

    Additional staffing is comprised of Transit Patrol Sheriff’s deputies and AB security contractors.

    We noted that Transit Patrol staffing levels have recently been increasing when four additional deputies were hired to

    implement a third shift. However, 2015 Transit Patrol staffing levels are still below 1995 levels. While VTA now uses a

    significant number of AB security contractors, there is a difference in capability and mission.

    Transit Patrol staffing levels have not kept pace with the general expansion of VTA services. Current staffing

    requirements stretch staffing levels in a suboptimal manner. Security staff may be performing duties that are better suited

    for other members of VTA’s Protective Services to compensate for staff shortages. With future services planned, such as

    the BART SV Extension service implementation, VTA may find it difficult to provide necessary security without additional

    security forces.

    VTA should evaluate existing staffing levels

    and capabilities of law enforcement, private

    security, and fare inspectors in conjunction

    with projected needs for BART SV service

    implementation and ongoing special events,

    to identify what VTA’s ideal staffing levels

    would be to meet the Board’s strategic

    vision for public safety and accomplishing

    operating priorities on an ongoing,

    sustainable basis. VTA should also consider

    all types of resources that could be utilized

    (i.e., sheriff technicians in lieu of fare

    inspectors, since fare inspectors cannot run

    ID checks and execute law-enforcement

    tasks, this results in Sheriff’s Office staff

    being taken away from primary

    responsibilities).

    VTA management concurs with the

    recommendation. VTA will evaluate staffing

    levels and capabilities of law enforcement,

    private security and fare enforcement personnel

    with projected needs for BART SV service

    implementation and ongoing special events to

    identify VTA’s ideal staffing levels insuring that

    we are meeting the Board’s strategic vision for

    public safety and accomplishing operating

    priorities. VTA management will also consider the

    best and most efficient use of resources to insure

    best use of staff available.

    Responsible Party: Manager of Protective

    Services Programs

    Target Date: June 1, 2016

    Auditor General's Office:

    Status: Complete

    VTA management has evaluated existing staffing levels and the need for

    additional staff. Protective Services has amended the County of Santa

    Clara Sheriff's Office contract to allow for additional resources. In addition,

    Protective Services constantly evaluates staffing to allow the best and

    most efficient use of resources.

    1.2 Security Staffing Levels and Capabilities:

    1.2 AB is contracted to monitor and manage the Closed Circuit Television (CCTV) control room. AB security contractors

    who monitor the control room have specialized technical skills as outlined in the contract. One benefit to contracting out

    CCTV control room monitoring is the number of AB resources with technical CCTV expertise.

    One concern is that VTA does not have a staff member from the Sheriff’s Office or a VTA employee managing the CCTV

    room. The use of video footage is an important and sensitive aspect of law enforcement that must be managed properly.

    It is very important that an accurate chain of custody be maintained for data which could be requested for evidentiary

    reasons. VTA management of the CCTV control room could also provide stronger controls to prevent video footage leaks.

    VTA should formally evaluate the costs and

    benefits of contracting out CCTV control

    room management. Based on discussions

    with members of Protective Services, it is

    clear that there are benefits to using a VTA

    employee to manage the CCTV control

    room.

    VTA management concurs with the

    recommendation. VTA will evaluate the costs

    and benefits of staffing the CCTV control room

    with VTA personnel.

    Responsible Party: Director of Safety and

    Security

    Target Date: December 31, 2015

    Auditor General's Office:

    Status: Complete

    Protective Services has evaluated the costs and benefits of staffing the

    CCTV control room with VTA personnel. At the time of review, budget

    constraints do not allow for complete VTA management of the CCTV

    room. Staff coverage of the CCTV room has been expanded to include

    coverage from 0600 to 0200 hours and VTA is exploring the possibility of

    staffing two officers during peak hours. In addition, there is a designated

    "on-call CCTV officer" for major incidents which occur over the weekend.

    1.3 Security Staffing Levels and Capabilities:

    1.3 AB security contractor training is a key requirement of the contract between VTA and AB. VTA’s annual audit of the

    AB contract includes significant testing of training compliance which highlights the importance that VTA places on utilizing

    well-trained security contractors. While AB security contractors undergo extensive training, they are not required to have

    Crisis Intervention Training (CIT) that is focused on helping law enforcement to appropriately react in situations involving

    mental health or developmental disability to prevent unnecessary escalation. This is currently a requirement for Transit

    Patrol as part of the Sheriff’s Office training. CIT training is another example of differences in security capability. It also

    highlights the need to evaluate whether the right mix of security forces is used.

    Additionally, AB security contractors do not undergo formal Implicit Bias (IB) training or Customer Service (CS) training.

    Implicit Bias training reinforces to officers the importance of not allowing personal biases to influence their decision-making in

    situations. Also, though many AB security contractors are known to have received some sort of CS training in the past,

    there is no uniform training which all have received.

    VTA should evaluate the costs and benefit

    of requiring Allied Barton security

    contractors to receive CIT training to ensure

    its security presence has the adequate skills

    to effectively de-escalate and manage

    potential crises.

    VTA should also consider the costs and

    benefit around both IB and CS training.

    Such training can enhance the AB security

    contractors’ ability to fairly work with

    passengers, especially in tense or

    controversial situations.

    VTA may also benefit by considering the

    feasibility of AB contractors participating with

    other law enforcement agencies’ CIT, IB,

    and CS training to save on costs.

    VTA management concurs with the

    recommendation. VTA will evaluate the costs

    and benefit of requiring Allied Barton security

    contractors to receive CIT, IB, and CS training.

    Responsible Party: Manager of Protective

    Services Programs

    Target Date: December 31, 2015

    Auditor General's Office:

    Status: Complete

    At the time of review, Allied Universal (formerly Allied Barton) security

    contractors are required to receive CIT training focused on de-escalation

    and nonviolent crisis intervention. Protective Services provided detail

    reports showing mandatory security contractor training provided to all

    Allied Universal employees. In addition, security contractors will receive

    additional training on mental health, first response, and de-escalation if

    they display poor judgment.

    June 1, 2017

    Follow-up Report: Public Safety Process Assessment

    VTA Auditor General's Office

    1.4 Security Staffing Levels and Capabilities:

    1.4 The CCTV control room is staffed during business hours by AB security contractors. They monitor television monitors,

    review previously taped footage, and pull requested footage if necessary. The CCTV control room is currently not staffed

    on nights and weekends. If footage of events is requested on weekends or at night, then a member of VTA will need to

    respond to the request.

    VTA should evaluate whether 24/7 staffing

    of the CCTV control room would be

    beneficial. Considerations should include

    the cost of staffing, other supplementary

    work that could be performed by security

    staff working on weekends and nights, and

    the overall benefit to have real time

    monitoring and resources to pull video

    footage immediately when requested.

    VTA management concurs with the

    recommendation. VTA will evaluate the costs

    and benefit of 24/7 staffing of the CCTV control

    room.

    Responsible Party: Manager of Protective

    Services Programs

    Target Date: December 31, 2015

    Auditor General's Office:

    Status: Complete

    Protective Services has evaluated the costs and benefits of 24/7 staffing

    of the CCTV control room. Budget constraints do not allow for 24/7

    staffing, however, staff coverage of the CCTV room has been expanded

    to include coverage from 0600 to 0200 hours. In addition, there is a

    designated "on-call CCTV officer" for major incidents which occur over the

    weekend.

    2.1 IndustrySafe Reporting and Audit Module Functionality:

    2.1 Operator incident reporting is manually entered into IndustrySafe, a web-based product used to record, track and

    identify safety trouble areas. This manual process entails paper forms, supervisor review, transfer to the Protective

    Services office, and data entry by an administrator. Through inquiry it was revealed that there is a backlog of incident

    reports that have not been entered into the IndustrySafe system. While we were informed that incidents of greater

    severity were entered into the system, other incident reports would not be visible if a query was run. The backlog of

    incident reports limits the value of analysis and reporting from IndustrySafe.

    VTA should devote resources to eliminate

    the backlog of incident reports. VTA should

    also evaluate the manual nature of incident

    reporting. Process improvements that

    allow or encourage operators to enter

    incidents directly into IndustrySafe should be

    explored. We understand that incident

    reports need to be reviewed by a Supervisor

    and there are issues with providing tablets

    or computer access to operators, but

    exploring automation opportunities could

    greatly enhance the speed with which

    reports are entered into IndustrySafe and

    available for analysis and reporting.

    VTA management concurs with the

    recommendation. VTA will devote resources to

    eliminate the backlog of incident reports. VTA will

    also evaluate the manual nature of incident

    reporting and will explore automation.

    Responsible Party: Manager of Protective

    Services Programs

    Target Date: March 31, 2016

    Auditor General's Office:

    Status: Complete

    Protective Services will explore possible automation opportunities related

    to incident reports as the expiration date for the current contract

    approaches. At the time of review, the backlog of incident reports has

    been eliminated. Protective Services is working with operators to clarify

    the incident reporting process and the information required to be

    submitted with each report.

    2.2 IndustrySafe Reporting and Audit Module Functionality:

    2.2 Incident reporting out of IndustrySafe is inadequate to provide relevant and meaningful reporting in an efficient

    manner. Through inquiry and observation it was evident that Protective Services had limited ability to generate

    IndustrySafe reports that could be used for analysis or reporting to management. Observation revealed that standard

    reports were not available. Key administrative staff could generate data dumps in Excel but would then need to use filters

    to generate meaningful information.

    This was not the case for Sheriff’s Office security metrics or fare inspector data. Both the Sheriff’s Office application and

    the fare inspector’s application (FEATS) have adequate reporting capabilities to provide data used for management

    reporting and operational decision making. Through inspection of reports, we were able to see statistics for fare evasion,

    total ridership, and total passengers checked. The Sheriff’s monthly incident report included meaningful information on

    individual events.

    Further discussion with the Director, System Safety and Security and the Principal Safety Auditor, revealed that

    IndustrySafe training gaps and limited sharing of best practices across departments may be responsible for Protective

    Services’ inability to generate meaningful reporting. With recent organizational realignment, the System Safety and

    Security Division obtained ownership of IndustrySafe and has plans to enhance training and disseminate best practices.

    VTA should evaluate IndustrySafe reporting

    to determine if it has sufficient incident

    reporting capabilities. If it does not, VTA

    should consider other reporting options such

    as Crystal reports. If IndustrySafe does

    have sufficient reporting capabilities, then

    VTA should evaluate whether the application

    has effectively been rolled out to all

    departments and whether additional training

    should be provided to ensure all users are

    aware of and employing the full functionality

    of the application.

    VTA management concurs with the

    recommendation. VTA will evaluate IndustrySafe

    and determine its capabilities in the area of

    security related incident tracking, reporting and

    forecasting.

    Responsible Party: Director of Safety and

    Security, Manager of Protective Services

    Programs, and Principal Safety Auditor

    Target Date: June 30, 2016

    Auditor General's Office:

    Status: Complete

    Protective Services has evaluated the use of IndustrySafe and its incident

    tracking and reporting capabilities and has determined that reporting

    capabilities are adequate. Additional online training webinars, as well as

    VTA specific business process documents and guidance, are available to

    VTA personnel and have been rolled out to all departments.

    2.3 IndustrySafe Reporting and Audit Module Functionality:

    2.3 VTA undergoes significant third party audits and reviews by both state and federal agencies that include significant

    security and safety components. VTA also conducts a number of internal audits designed to monitor the effectiveness of

    processes/controls as well as comply with third party requirements. Because of the volume of audits required, and the

    need for administration and monitoring, VTA should be commended for their oversight of the audit process. However, it

    may be beneficial if some audit administration and monitoring tasks were automated.

    Through inquiry with System Safety and Security’s Principal Safety Auditor, it was revealed that IndustrySafe includes an

    audit module that assists in automating audit administration and monitoring. Because the Principal Safety Auditor is a

    newly instituted position, there has not

    been time to fully investigate the audit module functionality. The Principal Safety Auditor will oversee safety audits while

    the divisions’ Senior Management Analyst will continue to oversee security audits.

    Both the Senior Management Analyst and the Principal Safety Auditor use schedules to monitor the calendar of audits. An

    annual report is completed for the internal audit process every February, which provides a road map for audit planning and

    completion. In addition, the Senior Management Analyst maintains a monthly Corrective Action Plan report that tracks

    issues identified by an audit and the efforts to correct those issues. These procedures are primarily manual and tracked

    through spreadsheets and MS Word documents.

    We recommend evaluating the IndustrySafe

    audit module to determine if it provides

    additional functionality that improves the

    operational efficiency of audit monitoring

    through automating processes.

    VTA management concurs with the

    recommendation. VTA will evaluate IndustrySafe

    and determine its capabilities in the area of audit

    functionality.

    Responsible Party: Director of Safety and

    Security, Manager of Protective Services

    Programs, and Principal Safety Auditor

    Target Date: June 30, 2016

    Auditor General's Office:

    Status: Complete

    IndustrySafe does not currently have a dedicated audit module. Protective

    Services and other VTA personnel use a number of standard IndustrySafe

    reports which are included as part of the web-based reporting tool.

    Protective Services will continue to evaluate IndustrySafe and its reporting

    capabilities.

    3.1 Jurisdictional Responsibilities and Mutual Protocol Agreements:

    3.1 VTA’s jurisdictional responsibilities are complex because of its large service area and its operation of bus and light

    rail services across Santa Clara County and the fifteen municipalities therein. VTA services also overlap with regional rail

    services, such as Caltrain, that create additional complexity. As a result, defining jurisdictional responsibilities for security

    related events is critical for effective and efficient incident response.

    In 2011, a mutual protocol agreement was executed between the San Jose Police Department and the Santa Clara

    County Office of the Sheriff. A section of the agreement defined jurisdictional responsibilities for VTA related incidents. An

    updated agreement is in the process of being drafted. The execution of a mutual protocol agreement between the Sheriff’s

    Office and the city of San Jose increases cooperation by clarifying law enforcement responsibilities.

    With the impending implementation of BART SV service, VTA is drafting an Operations & Maintenance (O&M) Companion

    Agreement to the existing BART/VTA Comprehensive Agreement that will include a section to define jurisdictional

    responsibility between BART police and VTA security.

    It was also determined that jurisdictional cooperation with other municipalities is predicated on the experience and working

    relationships that Transit Patrol has established. However no formal process has been implemented to evaluate whether

    mutual protocol agreements with other municipalities should be pursued.

    Because of the complexity of providing

    transit security along the VTA footprint, we

    recommend evaluating whether a process to

    periodically assess the need for mutual

    protocol agreements is necessary. The

    mutual protocol agreement with the city of

    San Jose is intuitive because 95% of calls

    occur within San Jose, but there should be a

    process to determine if mutual protocol

    agreements with other municipalities should

    be pursued.

    A process that includes periodic

    assessments provides a mechanism to

    monitor changing demographics, as well as

    the VTA footprint, to ensure that mutual

    protocol agreements are pursued with high

    value municipalities.

    Another approach is consideration of

    whether an educational document that

    defines VTA security responsibilities could

    be created and communicated to other law

    enforcement agencies.

    VTA management concurs with the

    recommendation. VTA will evaluate the mutual

    protocol agreements with overlapping

    municipalities and/or feasibility of an educational

    document that defines VTA security

    responsibilities which could be communicated to

    other law enforcement agencies. Further, VTA

    will develop a procedure for periodic review of

    changing demographics and population within the

    VTA footprint.

    Auditor General's Office:

    Status: Complete

    In April 2016 VTA entered into a mutual protocol agreement with the San

    Jose Police Department in order to maintain the previous agreement

    guidelines and clarify the responsibilities of both parties and the

    responses to VTA property, facilities and vehicles. VTA monitors

    demographics on a yearly basis and continually explores the need for

    mutual protocol agreements with other municipalities.

    4.1 BART Go Live - Security Considerations:

    The BART extension has the potential to create jurisdictional ambiguity between different transit and law enforcement

    agencies. BART and VTA are drafting an O&M agreement to address some of these issues. Although the agreement has

    not been executed, it calls for BART police to patrol the trains and VTA to provide security on platforms and station

    facilities.

    To enhance jurisdictional cooperation, VTA would like to establish a community policing center near the Berryessa station.

    The value of a community policing center would be to establish a more consistent security presence in the area, enhance

    cross-training opportunities and provide a venue for greater cooperation between different law enforcement agencies who

    could use the center.

    VTA should evaluate the costs and benefits

    of a community policing station by assessing

    best practice security approaches used at

    other BART stations.

    VTA management concurs with the

    recommendation. VTA will evaluate benefits of a

    community policing station by assessing best

    practice security approaches used at other BART

    stations.

    Responsible Party: Manager of Protective

    Services Programs; Director of Safety and

    Security and Captain Lera

    Target Date: June 30, 2016

    Auditor General's Office:

    Status: Complete

    In preparation for the expansion of BART into Silicon Valley, VTA is

    exploring memorandums of understanding with BART Police and the City

    of Milpitas to define the responsibilities of each party. Under the proposed

    agreement, BART Police will be responsible for all incidents inside BART

    with VTA being responsible for all incidents outside BART. The BART

    agreement is currently being finalized.

    4.2 BART Go Live - Security Considerations:

    The BART extension will include extensive CCTV monitoring. BART security will monitor CCTV on trains and VTA

    security will monitor CCTV on station platforms and parking lots. Each entity will own and manage security footage

    recorded on their CCTV cameras.

    CCTV is a powerful tool to record security events as well as deter potential security incidents. CCTV data/footage

    sharing between BART and VTA is being discussed and the framework will be included in the O&M Companion

    Agreement being developed.

    Through review of VTA Policy OGC-PL-1001, Records Management, and its accompanying Attachment 1 – Retention

    Schedule and discussion with VTA’s Director, System Safety and Security, it was noted that CCTV records are included

    within the scope of the Policy and that the policy appears both reasonable and in compliance with Government Code

    34090.8 and Assembly Bill 839. Further, as the Policy is intended to apply system-wide, it will continue to apply to all new

    environments after BART go-live, in conjunction with parameters set forth within the O&M Companion Agreement.

    Accordingly, it appears that no changes need be made to the policy to afford additional accommodations in light of the

    forthcoming BART service.

    VTA should evaluate CCTV recording

    options and work with BART to share CCTV

    recording data.

    VTA management concurs with the

    recommendation. VTA will evaluate CCTV

    recording options and work with BART to share

    CCTV recording data.

    Responsible Party: Manager of Protective

    Services Programs; Director of Safety and

    Security and Captain Lera

    Target Date: June 30, 2016

    Auditor General's Office:

    Status: Complete

    VTA is in the process of installing fiber cables to allow for video review at

    the River Oaks facility. Only one agency will record specific incidents, and

    each agency will record video related to their own area of jurisdiction. The

    expansion of BART into Silicon Valley will be managed using best practice

    security practices used at other BART stations and coded into the O&M

    Companion Agreement.

    5.1 Calls for Service - Operational Responsibilities:

    “911” calls go to the Sheriff’s Office or local police dispatch. Calls on light rail station platform blue phones go to the

    Sheriff’s Office dispatch. Calls from bus or light rail operators are routed to OCC who then contacts Transit Patrol if there

    is a high risk security concern. The Sheriff’s Office also has access to monitor OCC calls and would likely know about an

    incident before the OCC contacted them.

    VTAlerts, a phone/tablet application, is another tool that allows VTA customers and others to report problems through their

    phone or tablet. VTAlerts is monitored by AB, who will respond and, if necessary, escalate higher risk incidents to law

    enforcement.

    It was revealed that the OCC does not have personnel that specifically manage incoming calls related to security issues.

    Although security response times have not

    been an issue, VTA should evaluate the

    service call process to determine if

    response times should be tracked and

    reported.

    Additionally, VTA should evaluate the

    service call process to determine if the OCC

    should have dedicated personnel to

    manage incoming security calls.

    VTA management concurs with the

    recommendation. VTA will evaluate the service

    call process to determine if response times

    should be tracked and reported. Further, VTA will

    evaluate the feasibility of having dedicated

    security personnel in OCC to manage incoming

    security related calls.

    Responsible Party: Manager of Protective

    Services Programs; Director of Safety and

    Security and Captain Lera

    Target Date: June 30, 2016

    Auditor General's Office:

    Status: Complete

    Protective Services tracks incident response times as part of the service

    call process. In addition, VTA has amended their current contract to allow

    for additional staffing and more public safety resources at dedicated

    locations such as light rail platforms and vehicles. These additional

    resources have helped VTA to better manage incoming security calls.


  • Date: May 25, 2017

    Current Meeting: June 1, 2017

    Board Meeting: August 3, 2017

    BOARD MEMORANDUM

    TO: Santa Clara Valley Transportation Authority

    Governance and Audit Committee

    FROM: Auditor General, Bill Eggert

    SUBJECT: Inventory and Assets Held at Outreach

    Policy-Related Action: No

    Government Code Section 84308 Applies: No

    ACTION ITEM

    RECOMMENDATION:

    Review and receive the Auditor General's report on the Inventory and Assets Held at Outreach.

    BACKGROUND:

    Since 1993, VTA has contracted with Outreach & Escort, Inc. (Outreach) to provide ADA Paratransit brokerage services.

    During 2015 and 2016, as part of the Board-approved FY15 Internal Audit Work Plan, the Auditor General completed a Paratransit Operations Assessment that identified several high-risk findings, including VTA’s lack of access to paratransit source data and the Auditor General’s inability to verify the trip information provided by Outreach.

    Based on the report, the VTA Board exercised the one-year notice of contract cancellation provision with Outreach, while concurrently initiating the competitive procurement process for replacement paratransit services.

    In March 2017, as part of the transition and contract cancellation process, the Board approved this additional review to validate inventory and assets held by Outreach due to the importance of understanding which items VTA had ownership rights to.


    DISCUSSION:

    The objective of this review was to verify and physically observe a sample of high-dollar assets and inventory, determine the VTA funding sources for assets and inventory held at Outreach’s locations, assess VTA’s ownership rights to the assets and inventory, and determine whether those items should be returned to VTA at the conclusion of the paratransit services contract.

    The Auditor General encountered several limitations during this review, including lack of responsiveness and proper documents from Outreach, denial of access to Outreach’s premises, litigation filed by VTA and by Outreach, and a Federal Bureau of Investigation execution of a search warrant on the Outreach headquarters.

    An overall report rating of High was assigned to help management understand our assessment of controls related to assets and inventory financed or purchased with VTA funds. This was based on two observation categories, both judged as High risk. Our recommendations addressed the following areas: (1) VTA’s ability to identify and monitor assets, and (2) Outreach’s lack of adequate record keeping and contract compliance.

    VTA management agreed with all of the Auditor General’s Office recommendations. It committed to implement all but one of the recommendations by the end of 2017. The remaining one, which concerns VTA pursuing physical control and ownership of all relevant assets or reimbursement thereof, is projected to require until the end of 2018.

    Recommendations of opportunities for improvement contained in this report were presented by the Auditor General for consideration of VTA management, which is responsible for the effective implementation of any action plans.

    FISCAL IMPACT:

    There is no financial impact associated with acceptance of this report.

    Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator

    Memo No. 5979

    ATTACHMENTS:

    • A--Outreach Inventory & Assets (PDF)


  • Inventory and Assets Held by Outreach and Escort, Inc.

    Auditor General Report No. 2017-04

    May 09, 2017


  • Inventory and Assets Held by Outreach Auditor General Report Issued: May 4, 2017

    2 © 2017 RSM US LLP. All Rights Reserved.

    EXECUTIVE SUMMARY

    ON THIS REVIEW;

    Overall Rating (See Appendix A for definitions)

    Review: Inventory and Assets Held by Outreach

    Report Rating: High

    Number of Observations by Risk Rating: High 2, Medium 0, Low 0

    Background

    Since 1993, VTA contracted with Outreach & Escort, Inc. (Outreach) to

    provide ADA Paratransit brokerage services. In FY16, the Auditor General

    completed a Paratransit Operations Assessment that identified high-risk

    findings, including VTA’s lack of access to paratransit source data and the

    AG’s inability to verify the trip information provided by Outreach. Based on

    the report, the VTA Board exercised the one-year notice of contract

    cancellation provision with Outreach, while concurrently initiating the

    competitive procurement process for replacement paratransit services.

    In March 2017, as part of the transition and contract cancellation process, the

    Board approved this additional review to validate inventory and assets held

    by Outreach because of the importance of understanding the assets and

    inventory held by Outreach to which VTA had ownership rights.

    This review was performed in accordance with the Standards for Consulting

    Services issued by the American Institute of Certified Public Accountants.

    This report is intended for use by VTA’s Board of Directors, Governance &

    Audit Committee, and management. Recommendations for improvement are

    presented for management’s consideration, and management is responsible

    for the effective implementation of corrective action plans.

    Objective and Scope

    The Auditor General’s Office performed fieldwork from November 2016

    through March 2017, with the following objectives:

    • Verify and physically observe a sample of high-dollar assets and inventory

    • Determine the VTA funding source for assets and inventory held at Outreach’s locations (VTA funds and/or grant proceeds)

    • Assess VTA’s ownership rights to the assets and inventory, or whether assets or inventory held by Outreach should be returned to VTA at the conclusion of the paratransit services contract

    Overall Summary and Review Highlights

    The AG encountered several scope limitations during this review, including:

    • Lack of responsiveness and proper documents from Outreach to our various requests

    • Denial of access to Outreach’s premises (although notice was provided in accordance with the Contract terms)

    • Litigation filed by VTA and a counter-suit by Outreach, which delayed access to requested records

    • A Federal Bureau of Investigation execution of a search warrant on the Outreach headquarters

    We were able to perform limited testing and verify certain fixed assets.

    In addition, where necessary, we developed alternative audit procedures to

    attempt to accomplish the established objectives. However, due to the above

    limitations, we were not able to conclude whether Outreach had adequately

    accounted for fixed assets or inventory purchased with VTA funds or grant

    proceeds provided by VTA.

    An overall report rating of High was assigned to help management

    understand our assessment of controls related to assets and inventory

    financed or purchased with VTA funds.

    We would like to thank those who assisted us throughout this review.

    Questions should be addressed to Bill Eggert in the VTA Auditor General’s

    Office at [email protected].


    OBSERVATIONS SUMMARY

    Following is a summary of observations noted in the areas reviewed.

    Definitions of the observation rating scale are included in Appendix A.

    Ratings by Observation

    Observation Title Rating

    1. VTA’S ABILITY TO IDENTIFY AND MONITOR ASSETS High

    2. OUTREACH’S LACK OF ADEQUATE RECORD KEEPING AND CONTRACT COMPLIANCE High


    DETAILED OBSERVATIONS

    1. VTA’s Ability to Identify and Monitor Assets

    Observation: VTA experienced challenges in identifying all Outreach fixed assets, due to lack of adequate records received from Outreach.

    Recommendation: VTA develop a process to verify the sources of funding and ownership of assets for future Paratransit contracts.

    Management’s Action Plan

    Observation Rating: High

    1.1 The Outreach Paratransit Services contract required that VTA be provided at the end of each fiscal year an updated list of inventoried VTA property, including disposed items (section 13.2).

    Outreach provided these reports on occasion, but not on a regular basis, as required by the Contract. VTA did not have an effective process to monitor the receipt of the required monthly asset listings. VTA also did not exercise any of the Audit clauses in the Contract to periodically inspect the assets or financial records on-site at Outreach. A current Asset Register would allow VTA to verify:

    Completeness and accuracy of items to which VTA has a contractual claim

    Proper categorization as paratransit related

    Disposal of assets no longer in use

    1.1 For future agreements with third party Paratransit vendors, we recommend that VTA develop a process or utilize a system to tag specific assets and periodically exercise contractual audit rights to physically inspect and validate assets reported. By implementing such a process, VTA can better mitigate Paratransit vendor risk and protect ownership rights to assets funded by VTA.

    The system or fixed assets register should contain adequate information to validate funding sources and ownership. Such documentation could include:

    Unique identifying information, such as serial numbers

    Expected useful life

    Journal entries

    Invoices and purchase support

    Service contracts

    Other asset documentation

    1.1 Management agrees with the recommendation. The recently established Regional Transportation Services (RTS) department will be responsible for managing the process to ensure accurate asset information is provided to VTA both regularly and in a timely fashion. It will also ensure that all qualifying assets receive VTA asset tags and are appropriately recorded in VTA’s existing fixed asset inventory database. Staff will also monitor assets, as well as perform random asset audits and verifications.

    Responsible Party: RTS, in conjunction with

    Financial Accounting

    Target Date: 12/31/2017


    1.2 VTA entered into multiple Cooperative Agreements with Outreach for grant funds, including the FTA’s “Veterans Transportation and Community Living Initiative” (VTCLI) and “Lifeline Transportation Program” (LTP) programs. Reimbursed expenses under the Agreements frequently included purchases of fixed assets and other equipment inventory that were not formally reported by Outreach or tracked centrally by VTA.

    1.2 We recommend that Grants Management develop and implement enhanced procedures to monitor funds passed through to third parties, in compliance with applicable Cooperative Agreements.

    1.2 VTA agrees. This issue was identified by the Federal Transit Administration (FTA) in VTA’s 2014 Triennial Review. In response, VTA developed standard terms and conditions to be included in all third party agreements, which were fully implemented by early 2015. VTA’s agreements with Outreach reviewed by the Auditor General were executed prior to development of these standard terms and conditions. VTA also intends to develop improved protocols to monitor funding provided to third-party recipients.

    Responsible Party: Programming, Grants and

    Administration Department

    Target Date: 12/31/2017


    2. Outreach’s Lack of Adequate Record Keeping and Contract Compliance

    Observation: Outreach did not provide all requested financial and other supporting records, and as a result, we were unable to independently verify and inspect certain assets.

    Recommendation: We recommend that VTA enhance its processes for paratransit service-related recordkeeping and assets monitoring.

    Management’s Response and Action Plan:

    Observation Rating: High

    2.1 The AG developed an alternative audit procedure since there was no Fixed Assets Register available. We compiled a list of assets from Paratransit and grants invoices sent to VTA between 2012 and 2015. The asset compilation did not include all assets to which VTA may have an ownership claim. Asset Verification - We selected 53 assets and physically observed 45 assets valued at $166,000. These assets included server equipment, GPS units, phones, work stations, desks, computer monitors, chairs and other office equipment. The remaining eight (8) assets with an invoice value of $44,000 were not located by Outreach during our onsite visit, nor identified afterwards.

    2.1 To date, Outreach has not provided or returned any asset types to VTA. We recommend that VTA continue to pursue physical control and ownership of all relevant computer, fleet, furniture, and other assets. In addition, we recommend that VTA consider pursuing reimbursement of costs or a claim for the assets to which VTA has ownership rights.

    2.1 Management agrees. VTA will continue pursuing physical control and ownership of all relevant assets or reimbursement thereof, including through legal remedies as necessary, as is reasonably prudent.

    Responsible Party: RTS, in collaboration with

    General Counsel’s Office

    Target Date: 12/31/2018

    2.2 Fleet Observation – VTA Operations provided an inventory of 302 fleet vehicles used for paratransit operations. We physically verified the existence of 301 vehicles. We were informed that the remaining one vehicle might have been in a repair shop. However, we also identified an additional 32 vehicles on VTA and County property that were not included on VTA’s Fleet Register.

    2.2 We recommend that VTA update the Fleet Register to include all fleet vehicles, whether active or decommissioned, and physically verify the fleet on a periodic basis.

    2.2 Management agrees with the recommendation. The RTS department will update the Fleet Register to include all vehicles, both active and decommissioned. In addition, it will physically verify the existence and location of all fleet vehicles on a periodic basis.

    Responsible Party: RTS

    Target Date: 09/30/2017


    2.3 Computers - We were informed by Outreach that certain computers stored offsite might still contain paratransit clients’ Personally Identifiable Information (PII). We were not able to verify this due to lack of access to the facilities. However, this would not comply with VTA’s policy to scrub any equipment of PII before disposal.

    2.3 We recommend that VTA develop a process to determine whether off-site or non-used computers and equipment held by the vendor should be tested or evaluated by other means to ensure that all Personally Identifiable Information (PII) has been appropriately removed.

    2.3 VTA agrees with the concept. However, the Outreach computers and servers are all password protected, and therefore, without administrator rights to the equipment, we cannot evaluate the content on the equipment. Once VTA takes physical control of the computer equipment, the devices can be reformatted and rebuilt to be redeployed as any VTA asset. Following VTA’s existing computer equipment decommissioning procedure, all data is wiped from any system or piece of equipment prior to being scrapped or sold.

    Responsible Party: RTS, in collaboration with

    the Information Technology department

    Target Date: Immediate and on-going implementation as VTA is given access to the assets


    APPENDIX A—RATING DEFINITIONS

    Observation Risk Rating Definitions

    Rating: Definition

    Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.

    Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.

    High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.

    Report Rating Definitions

    Rating: Explanation

    Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observation should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.

    Medium: Certain internal controls are either:

    • Not in place or are not operating effectively, which in the aggregate, represent a significant lack of control in one or more of the areas within the scope of the review.

    • Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.

    High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment.

    Significant/several con